How to create an incident response plan


Six steps for effective Incident Response planning.

Cyberattacks have significantly increased over the years and are now more complex than ever. In order to safeguard your business from vulnerabilities, it is important to ensure that you have a cyber incident response plan in place that can be activated in times of crisis—especially when your reputation, revenue, and customer relationships are on the line.

Much like fire drills, incident response is a business process that should be actively and regularly practiced such that it becomes second nature even during high-pressure situations.

An incident response plan must be put in place to guide in mitigating attacks and recovery. This plan must follow the SANS Institute and NIST prescribed processes for a methodical and more organized approach.

However, it must be noted that not all cybersecurity incidents are similar in nature and importance. While some may require rigid investigations due to the complexity of the attack and the size of the damage, others might simply be login failures or isolated cases.

That said, your company must keep a list of possible event and incident types with specifics on when each event needs a thorough investigation. You will then have to modify your incident response processes accordingly.

How do you make a cyber incident response plan?

Before elaborating on each step of the Incident Response Process, please observe the phases developed by SANS Institute and NIST that must be considered in conducting incident response:

SANS institute:

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned


  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication, and Recovery
  4. Post-Incident Activity

From the get-go, both SANS Institute and NIST clearly have similar elements and order. The only difference is that NIST has grouped some elements into a single step. Nevertheless, both programs provide guidance on key considerations for building an effective incident response plan which we have outlined below.


'Preparation' not only better arms the IR efforts in case of a future incident but it will also greatly reduce the risk that a response will be required in the first place.

This stage is critical, and much effort should be put to ensure the organization is as prepared as possible.

Some (non-exhaustive) questions to consider:

  • What elements comprise your security infrastructure?
  • Who is in your response team?
  • Who are the decision-makers?
  • Do you need experts in Media, Legal, HR, or IT Systems?
  • Do you have reporting obligations to external authorities? If so, who will liaise with them and when?
  • Do you have adequate internal skills or do you need trusted partners to assist?
  • Are you capable of capturing evidence for use in potential criminal or civil proceedings?

Prioritize your assets. This includes listing not just your critical assets but even your systems, networks, servers, and applications. Assess their value and rank them based on importance. Then, observe the traffic patterns for these assets. Determine the norm and be aware of any discrepancies.

Set up appropriate policies and standards to follow in different situations such as network access, login guidelines, use of strong passwords, file sharing, as well as email and other platform access.

Strategize on how to manage the different types of cases and incidents. Rank each possible event base on priority, severity, and organizational impact. Provide notes on each event, specifying how it can be solved, what steps to take to remediate it, and what tools to use, if any.

Set up a communication plan among all stakeholders involved. Assign responsibilities among individual contact persons, what form of communication to use, when they should be contacted and during which kinds of incidents. Do not forget to include and collaborate with the Legal, HR, and Procurement teams (including external partners) to move forward with requests much more quickly and efficiently.

Properly document all events and provide updates. Include information about checklists, questions to be answered in case of emergencies, instructions, and other important information. Conduct regular cyber hygiene checks and updates.

Provide access control, tools, and training. You must give specific access to the company’s network and systems to your incident response team in order for them to conduct all necessary actions to mitigate the crisis. Likewise, proper cyber incident response tools and training must be available to them to ensure that they are well-equipped to fix issues that will be discovered during the incident.

"An organization's network will host literally millions of 'events' ... The trick is to be able to identify the events that are unauthorized or have an adverse impact on your systems and business"

Identification (or detection and analysis)

An organization's network will host literally millions of events. These include system log-ons, software updates, network connections established. Over 99.9% of these events are usually normal behavior for your environment.

The trick is to be able to identify the event or events that are unauthorized or have an adverse impact on your systems and business. These are called 'incidents', and incidents must be investigated.

In order to prevent incidents from happening, three basics steps are essential. Firstly, regular and strict monitoring must be observed. This will help in detecting and reporting any anomalies or potential security risks. Monitoring security events include constant review of log files, error messages, intrusion detection systems and firewalls.

At the onset of an attack, identifying the root cause of the breach is the main objective. Gather all necessary details about the incident. Find out who, what, when, where, and how it happened. Check from different entry points and indicators including user accounts, system administrators, network administrators, the SIEM, and logs.

Alert and report the incident to the proper authority by submitting an incident ticket. Classify the incident based on the provided incident types. Analyze and record the extent of the event, especially its damage to the systems—if any.


While this is the step in the incident response handling process where SANS Institute and NIST differ the most, the essential focus in both is to contain damage, eradicate all threats and restore systems back online.

Part of containing the damage is to ensure that the incident will not escalate further. This includes isolating the infected accounts, servers, or networks to the rest of the environment; backing up files and systems; and temporarily repairing any damaged material. Aside from these, it is important to keep all evidence safe from destruction.

Note that managing containment can be tricky as many stakeholders may be affected and certain efforts may even tip off the attackers that you are aware of their efforts. As such, decision-makers need to be informed and empowered to make critical choices at this stage. Consideration must be given to balancing the risk of continuing normal operations with the actions required to mitigate the threat.


Following Identification and Containment, there should be enough information to determine the root cause of the incident and how to best disrupt the attacker and remove them from your environment. The priority is to neutralize and remove all threats, including malicious activities and contents. Consider conducting a complete reimaging of the system’s hard drive to safeguard from subsequent attacks.


Any affected systems or platforms will need to be restored to proper working order following an incident. Examine any connected or related systems to ensure they are operating as normal with no signs of compromise.

Security professionals must coordinate these efforts with the business and operations teams to minimize disruption and maximize efficiency. Lastly, recovery requires establishing more sophisticated monitoring and detection techniques for combating future threats.

Cyber Incident Response Lessons Learned (or Post-Incident Activity)

The final step in the incident handling process involves the assessment of the entire incident, from how it was prepared for, managed, and addressed. At Blackpanda, we support our clients at this stage through our cyber incident response reports. While many firms regrettably skip this process, it is absolutely essential to recognize your victories and failures during the entire process, as this provides you with a great cyber incident response case study  that is directly applicable to your business, informing your future incident response planning.

Systematic reflection highlights areas for improvement for the future, along with those that should be kept up. This final step serves as training, from which you are able to use to update your current incident response plan and the list of incidents you have already encountered.

What did the organization and stakeholders learn from this incident? Could the incident have been prevented? Was it handled correctly? Do we have the right people and resources to detect and manage such incidents in the future?

Prepare briefings for the board, shareholders, and reporting agencies where required, and always remember: security is ultimately a human problem – can we better train our employees in any way?

Putting It All Together​

Cyber attacks have become a certainty in the lifetime of a business, and preparation is the only way that organizations can build adequate resilience to the evolving cyber threats.

An effective incident response plan is one that is grounded in the NIST and SANS frameworks. Key steps of pre-breach and post-breach cyber security include preparation, identification, containment, eradication and recovery, as well as post-breach learning.

As Asia’s premier Digital Forensics and Incident Response provider, Blackpanda supports your organization in building an incident response plan that it tailored to your specific business and industry, being hyper-focused on tackling threats in the Asian landscape.
Contact us to learn more about our incident response planning services or to report a breach.

Sign Up to Our Newsletter

Our weekly Asia Cyber Summary is a snappy, non-technical overview of regional cyber security news that helps you stay informed. Test it today, you can always unsubscribe.